A (9:43)

It's an absolute pleasure to be talking with you again, Kim. So thank you so much for having me on.

B (9:48)

I appreciate that. I appreciate that. So let's take a few moments and tell my audience about Jeff as well as tell us a little bit about Skillrex and what you're doing.

A (9:59)

Awesome. Yeah. Appreciate the opportunity. So yeah, my name is Jeff Wellgin. I'm Chief Strategist and CEO at Skillrex. We are a cyber workforce intelligence consulting firm and fun fact, I used to work with N2K Networks. We used to do this at N2K Networks and I spun the capability out last fall. So before spinning this out, I was the Chief Learning Officer at N2K for several years when we launched that as originally Cyber Vista. So I know you've had a couple of N2K folks on here, including Ethan on the Reversal interview the other day and my former boss Simone Petrella. So it's a it's an honor to be kind of amongst giants in this space.

B (10:43)

When you talk about, you know, in talent and intelligence within understanding the talent pool, etc, one would make an argument that this is kind of a unique niche out there with the market space. So how the hell did you get involved in this, man?

A (11:00)

Yeah, well, I think, you know, the, the evolution kind of came naturally over time, right. So my background in cyber security, actually the predecessor to my jump into cybersecurity. I was an intel analyst. I was in the Navy for a number of years. I was an intelligence specialist during the time of 9, 11, so 2000, 2004. I was on the USS George Washington aircraft carrier. And I was also a search and rescue swimmer. A little fun fact. So my trade at the core is analyzing information and putting the pieces of puzzles together and creating that picture. So fast forward moving out of the counterterrorism work and operational intelligence that you'd kind of do in any military environment. I had an opportunity in 2010 to join Booz Allen Hamilton doing some contracting work for the dia, helping them out with their cyber threat intelligence capabilities. So that was really my, my entry into it and we're really. My focus was really looking at national doctrines and strategic capabilities of nation states, particularly some in the Middle east, to look at capabilities. So over time that, that was really the, the core foundation of an analytic mindset around problems and solving complex issues for decision makers. And I joined Cyber vista, which became N2K. And I was pulling together, I originally started as a pulling together the Cyber Risk program for boards and executives. And that's actually the first time I met you, Kim, because we, we were out there in Camelback and you came to one of our sessions there. So that was a great opportunity to meet you and kind of, you know, put some of our content out there. But across that time, my, my role evolved and changed. So I ultimately became responsible for looking at cyber talent and using data analytics to start making more informed or smarter decisions about what to do for your workforce in this particular space with the idea that the data can actually point us to reasonable solutions or reasonable paths forward.

B (13:15)

So let's double click on that a little bit within the environment. Given that focus and given your history, I would love for you to take a half step back and tell me what are you seeing out there in the market space? What are my peers as CISOs doing? What are organizations doing? What are we not doing? What is the data showing you?

A (13:35)

The talent component is one segment, like the, when we think about talent component, like talent management the training and all that, that is just one sliver of this entire ecosystem that spans from a number of activities on the talent acquisition side with recruiting through that talent management, which means understanding job roles, understanding skills, positioning, training, upskilling people all the way through retention. And there are a number of different stakeholders in that ecosystem that expand beyond just the cyber security professionals who are kind of looking at this ecosystem.

B (14:14)

Right.

A (14:14)

Or our component of it. So I think my view is, is kind of zoomed out a little bit because I work closely with cyber security teams. It's usually a CISO who's bringing us in to help them. Because the types of CISOs who really take a lot of value in this type of work are being very strategic about their, their workforce and how they're thinking about the workforce in two years. They're not really thinking about them exactly at this moment today, but really planning for that strategic arc of positioning them for the future of the business. But that said, you know, I think once we kind of start working with clients, the, the aperture expands kind of pretty drastically and quickly. Right. To see not just where the skills are in the workforce today or where some of the challenges or opportunities are to, you know, empower professionals, but what else is kind of broken in the process or what else can be improved across that ecosystem to make improvements for the business.

B (15:18)

So let's also drill down in terms of looking at talent strategically. Jeff, I'm going to bash my profession just a little bit and when I do it hopefully from a more of a data driven way based upon your experience in the market space. What. And I know this is a total swag. What percentage of CSAs are truly beginning to embrace the concept that you have to think strategically about your talent?

A (15:49)

Yeah, I can't give you a percentage, but I can say not enough. Not enough.

B (15:55)

Would it be fair to say that it's a significant minority?

A (15:58)

I don't know if I'd say it's a significant minority or even if maybe that's an unfair judgment to say not enough. Because sometimes I think there are a lot of sisters who are thinking about it actually.

B (16:09)

I think you're being generous.

A (16:11)

But, you know, sometimes your hands are tied and I think sometimes, you know, hands are tied by budget. Right. Or, you know, looking at your talent and what you're able to provide that talent from a training or development.

B (16:23)

So I gotta push, so I gotta push back just a little bit. You know, there's a. If we're truly looking at a problem strategically and we're talking about linking into the business and showing value, then we should be able to. And we all understand that none of us prints money so that budgets are always a consideration. But what we end up is in a situation to say, if I want more budget, I need to show the value proposition associated with the training and the end result associated with the business in terms of spending this money. Training saves me dollars in recruitment, saves me having to find a new body, creates a level of loyalty within the organization, increases morale, allows me to automate other things, all of the human capital model that's out there, tons of things we can do. So when I hear that my hands are tied, my counterpoint is my hands are tied because you really aren't thinking about the problem strategically because you want the training, but you're not articulating the value of training, which therefore means you're really looking at it at best, operationally instead of strategically.

A (17:35)

Yeah.

B (17:35)

So are we just tying our own hands because we are failing to truly look at this from a value proposition standpoint or are there other factors out there and I'm the one being unfair to my colleagues who sit the chair?

A (17:49)

No, I think you're right. I think you're right and I think it's a value prop issue mostly. Right. You know, I think it's hard to communicate up to the executive suite and to the board why that investment has dividends. Right. And you say training, but it is training that's a component of it, but it's also other areas too. And I think that's, you know, one of our.

B (18:13)

Such as.

A (18:14)

So that's one of our goals at Skillrex is really to broaden the scope of this, this problem set. So people see beyond just the training component because that is and fair and

B (18:25)

that tends to be the most visible one and the most budget heavy one. But when we talk other areas and components such as.

A (18:32)

Yeah, so let me, let me kind of go on a story here. Your predecessor, Rick Howard of CSO Perspectives, you know, we used to be colleagues at N2K and Simone as well. And when Simone and I were kind of pulling together a this like cyber talent insights component around how do we baseline skills and compare that to job role expectations to identify skill gaps, it was really around to position training. Right. Maximize return on investment by focusing on the training areas where there's the most skill gap in relation to the job role expectations for where the team is at today. So when we, when we brought that up and Simone had a conversation with, with Rick, you know, he, he made this really, you know, brilliant Analogy of like, oh, it's the Moneyball approach to cyber security talent. And he was right about that. Right. So I think when what I'm looking at is a kind of this combination of that concept of Moneyball, but expanded beyond just the individual and the team to look more at the department, the business units and the industry or company at whole. So I'm positioning that we really need a Sabre metrics, like a cyber metrics for workforce across the board, which includes, you know, talent and training information. Right. Like when, when Bill James kind of created cyber or, I'm sorry, saber metrics, they were really looking at different kinds of metrics for, you know, on base percentages and things beyond just batting averages. Right. And I think cyber as a profession, or cyber workforce as a profession, more broadly speaking, needs to kind of take a different statistical approach to the entire ecosystem, not just on skill gap data, although that's kind of the easiest place to start. But you said such as, so, like, we can take data and metrics from, you know, applicant tracking systems. Time to hire and weave all that stuff in. How well are your recruitings pulling in the right talent? All the way down to retention and culture issues. So there are data sets across that entire ecosystem that if we start to correlate with, with your talent itself and skill gap data, then we can start to identify hotspots across that ecosystem that need repairing. Sometimes that's going to be training, sometimes that's going to be on the talent acquisition side, sometimes it's going to be a culture issue. And I think if we can get the data in front of decision makers so we can have powerful conversations about how do we be smart about the budget we have and focus our energy and time and investment in the most needed areas across that ecosystem, then I think we'll start making some real progress against our cyber workforce challenges.

B (21:20)

Fair enough. I'm going to push a little bit. And I'll caveat this mainly for our audience versus you, because you and I have been down this path and you know that much of what you're saying. You have a lot of agreement with me because of some of the work we've done in the past and the conversations we've had in the past. But let me play devil's advocate out there. We're not the only technology field that's out there in the environment. We're not the only group of folks that have hard skills that may be perishable, that require training within the environment. What makes us so unique that we have to go down this path? When I'll pick on my IT brethren, I'm not aware of my IT brethren having this problem or this challenge. So what is it about us other than, you know, being prima donnas, you know, and you know, you know, that forces us into this situation when the vast majority of the folks out there in it, and there are a lot more of them than us aren't needing to do this? What makes us so unique that we have to go down this path?

A (22:21)

I think. Well, first I would say, I think every profession should take an approach like this for what I'm suggesting. I think that would only make us better. Right. They did it with baseball players, for crying out loud. So, you know, if they can do it with baseball players, they could do it with any other profession, using that data to understand where to make improvements across that entire ecosystem. But I think what's a little bit unique about cyber security as a profession is we're still young, we're still a newer profession in the context of professions, especially if you compare it to the medical field. So we are, I think, still earning our sea legs a little bit of how do we do this and do it well, especially in a profession that technology changes really, really fast. And as such we need to kind of evolve with those rapid changes on our skill sets to keep up with those technological advancements. So I think that's kind of a key part.

B (23:19)

Yeah, and again, this is devil's advocate pushback here. You know, I've been, yeah, I've been hearing about how young we are for the 38 years that I've been doing this in the environment. And while statistically it is accurate compared to doctors, et cetera, it may not be as accurate in terms of just in general IT within the environment. They are older, I understand, but not much older than we are. And there's also an argument that says that an IT professional has the same rate of change that they have to deal with as we have to deal with in the environment. And while what you are describing would be useful there, there's a difference between utility and necessity. Given the shortages that we're dealing with here, given the lack of understanding as to what it takes to make a good cyber professional, we're in a situation where what you're describing feels like a necessity for us. And I'm not sure we can blame that all on the youth of our almost four decade profession within the environment. What's making us so unique here? Before I shift gears and talk about strategic planning for talent a little bit, you know, what's wrong with us.

A (24:35)

So I think what, what's different about us though, is that better? You know, I think with other professions in corporate environments, you have the, the corporate structures to support those professions. Like, and it's a little bit different with cyber security. Like, and I'm really kind of driving at HR here. You know, hr, LND specifically, that's where

B (24:59)

I was going next.

A (25:00)

Right, great. We're gonna segue into it nicely. You know, I think the lack of understanding of those supporting components of an enterprise, the HR components and the learning and development team and the around what the needs are for cybersecurity has kind of put the onus on cyber teams to figure this out by themselves. Sometimes that is out of necessity, sometimes that's out of maybe just our own prima dominant nature and you know, alpha, you know, nature as well, of just kind of being in control of some of that. But there has been for quite some time now this distance between L and D, Cyber and HR. And when we're working with customers, it's nine and a half times out of 10 we're being brought in by the cyber team, not an HR team. And when we have conversations with the HR team, they believe they've kind of got their hands around this. But if you talk to the cyber team, they're like, nope, they don't because we're doing 95% of it. Right. So I think there's some despair, or maybe despair is not a great word, but also just like some overload, right, Overload of responsibility. You have to do your day job, but then you have to figure out this workforce problem on your own too. And you know, I think that creates a sense of urgency around the problem set. Combined with, you know, the, the, the, the open positions, the supply and demand issues, and all the other things that we're seeing across this entire ecosystem. And some of the pipeline opportunities to come into this field, which you've talked about in some of your other episodes already.

B (27:12)

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs, and instead spend your time focusing on helping your business and customers thrive? Meet Meter, the company building full stack zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter Designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security, and vpn, every layer is integrated, segmented, and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. So let's poke at that a little bit because when we talk about thinking about talent strategically, collectively across the board and this great segue as you began to mention hr, there's an argument that says business has been thinking about talent holistically strategically because your human resources or chief people officer person is talented. Usually in most organization, a senior executive position directly reporting to the chief executive officer within the environment. That indicates a business understanding the need to think about the problem strategically. And I love what you said Jeff, in terms of that sense of HR feels it has a handle on it, yet cyber feels it doesn't have a handle on it indicates that level of disconnect between the two entities. So I've got a group of people whose job it is to think strategically about talent. And I have a profession that is at least as old, if not older than mine that has been doing this thinking strategically about talent. Yet for some reason there remains a disconnect as they think about this new talent base. Here one has to argue or consider that that's not an HR problem as much as it is a security problem in terms of us deciding and then communicating what's important to us and how we go get those important skills or abilities within the environment. It gets back to the conversation that I've had in previous podcasts and with you we've come up with these great KSAE frameworks that nobody seems to want to within the environment because every CSO thinks he or she is a special snowflake in terms of their needs for the job in the environment. So are we perpetuating the problem regarding thinking about cyber talent strategically because we won't converge on what good cyber talent looks like feels like and how it comes to being I'm curious as to your opinions on that.

A (31:21)

I think, I think that's spot on that convergence is is the problem. You know, we do have different opinions, strong opinions, some in some Cases around, you know, how or what kind of talent we need or what we're looking for in the talent, you know, and like, I'm thankful for the episodes you've had so far where you're talking about, you know, to cert or not to cert. Right? Like those, those are. That's a one little tiny component of an opinion piece that, you know, thousands of CISOs share. Right? Like where, where do they fall on that? Are they kind of on the hybrid side? Are they kind really care about certs or do I really put a lot of value in those? Or are they forced to care about certs because they need to follow like 8140 or something like that? The convergence is a problem, and we're seeing that right now, too, in the space around workforce frameworks. You know, I know you are familiar with the NICE workforce framework.

B (32:11)

Oh, yeah.

A (32:12)

But there are more and more skill frameworks popping up and right now, you know, coming fresh out of the NICE conference, you know, and as a team here at skillrex, we, we want to be able to pivot, you know, across any number of frameworks. We want to be a Rosetta Stone across them so that if you're in using the European cybersecurity skills framework or the Australian one, or the Saudi Arabian version of the nice framework, like, we can make sense of it. All right, so that is another problem set too. It's kind of like, well, what skills are important? How do you, what taxonomy are you using to articulate the skills needed for these particular job roles? Do they align with the rest of the job? Family classifications and pay banding? So, you know, that's why I say like this, this problem set is a bigger ecosystem issue because it's connected to all these things. And if we don't have the data to kind of help us zone in and, you know, converge, as you mentioned, on an approach that makes sense for this particular profession or set of professions, then I think we will continue to spiral and spin wheels in our own opinions on how to manage it on our own.

B (33:28)

I guess my next question would be. And it again gets back to articulating the value. So can we look at other industries, other talent mapping efforts, et cetera, outside of cyber, that can say, if you do this, the value proposition is you'll save in time to recruit, you'll save in, you know, cost and overhead for X, you'll increase turnover for Y. So while I can believe that doing these things will show that value, putting in a couple of bodies, the more senior ones Being paid probably in the low six figures. To focus just on this problem requires a level of commitment in terms of business value that many organizations would be struggling with and asking why do I need that? Since I got this group here called HR within the environment. So how would you go about articulating that business value to support, you know, your, your proposition to say that what you need is you need one to three people doing this full time for a certain amount of time, if not forever.

A (34:47)

Yeah, I think it's, forgive the analogy here. We need to throw the pebble in the pond. When you throw a pebble in the pond, it has a ripple effect. And the pebble for us starts with work role analysis. Really understanding the core expectations from skill sets perspective for any given job role at any given level, that's like the step one and then the ripples out from there. So once you have that data, you want to understand like, well, now I know what I need, what am I going to do with that data? Well, I can go back to my job descriptions as you mentioned, and update job descriptions based on an analysis of the expectations. But then two, you're going to want to understand where are my people compared to my expectations? So you're going to want to go through some sort of measurement, whether that is a self evaluation or through a diagnostic or using data from labs, whatever the data is that you have to start getting baseline metrics of people's current skill sets in those roles. Then you have that, you can overlay that to the skill expectations and find skill gaps. Now we're starting to get to a spot where you have value prop, return on investment. You look at your training ecosystem, you say, well, who in my training ecosystem can, can fill these critical gaps that I have on these teams or for these individuals on these teams. Right now you're positioning a better value for the organization by using your training dollars. You know, especially if it's by like being spent per head. Right. If you're looking at like a SANS model, you're going to send somebody through a SANS training. You're, you're spending per person on that, that training and that voucher. So who actually needs what kind of training? Now we're improving our actual capital expenses towards how do you utilize the training. But also you're making improvements on the overhead costs by focusing on training that matters most to the individuals or to the teams.

B (36:44)

Right.

A (36:44)

You don't want to put them through a bunch of training if they're already proficient in those areas. Let's focus on what most matters to the business where there are critical gaps. So we're spending less time in training, or should say we're spending that valuable time on the training that matters most while not spending on time on training that doesn't matter. Which means they're doing more of their job that they're hired to do. And then the ripples continue. Right now you can start to start looking at data, saying, well, let's start bringing in KPI data for the business.

B (37:18)

Makes perfect sense. So I'm going to give you the last word. What is the one thing you would either like to double down on or the one thing we haven't talked about that you would want the audience to hear?

A (37:27)

Yeah, I think I like to. It's kind of two things I would like to double down and add.

B (37:32)

Sure.

A (37:33)

So, you know, mentioned the Moneyball approach. I think, you know, what I'm positioning is that we need a new model, a data model for cyber workforce. We're trying to figure that out right now. That expands beyond just skill gap data and training. It goes into these different areas of the Workforce ecosystem, including ATS, you know, applicant tracking system, data, business APIs, bring all that stuff into one. So a model. Right. And that's where Moneyball comes in. But I really, really have been latching on to big ag, big farming and how they take approaches to create better yields for their agriculture. So I love the concept that, that big farmers use when they're using data driven data science approaches to make their farms more sustainable. So I've been using a lot of lexicon around the agriculture field of like sensors, treatments, yields and sustainability and translating that back into the cyber context. You know, so if we're thinking about big ag and sensors, they have a lot of sensors that they use to improve crop harvest. Right. And yields like soil sensors, ph levels, humidity, environmental centers, all this data that they kind of look at, we have that in cyber too. There are atss, labor market data, HRIS systems, LMS systems. There are a whole bunch of sensors we have that at our disposal that we haven't leveraged yet. If we're looking at treatments in the farming concept that could be like targeted fertilization or precision irrigation, pesticide application. Same is true on the cyber side. There are lots of treatments that we can do, including job architecture, standardization or skills assessments, learning paths, career progressions, mentorship programs, et cetera. So we have a lot of different treatments that we use in cyber to make improvements to our harvest, our harvest being our people.

B (39:36)

Right.

A (39:37)

And then the ultimate goal is to have better yields you know you want, you know in farming they're looking at crop yield per acre or input efficiency, harvest quality, et cetera. For us in the cyber profession, it could be internal mobility rates, skill proficiency increases, role readiness, retention rates. The list goes on and on. So I like that construct that agriculture uses when they're thinking about their yields and their farms and applying that in the same way to the cyber profession because I think it's pretty straightforward when we think about it in these sensors, treatments, yields, and what do you do sustainability wise across the program year over year to make your cyber workforce programs as efficient and effective as possible?

B (40:22)

And Jeff, we're going to leave it at that. Thank you so much for coming. We appreciate your time and talking to our audience about this topic.

A (40:29)

Appreciate you absolute pleasure, Kim. Thanks for having me on.

B (40:54)

And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show Notes. Tune in next week for more expert insights and meaningful discussions from CISO perspectives. This episode was edited by Ethan Cook with content strategy provided by Mayan Plot produced by Liz Stokes, executive produced by James Jennifer Ivan, and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.